Running a company is not just all about getting the product or service out there and bringing in revenue. There are numerous considerations to make in order to steer the business effectively and mitigate risk factors along the way. Compliance is one of these areas, with legislation such as the EU Whistleblowing Directive and Markets in Financial Instruments Directive (MiFID II) placing multiple obligations on organisations. To help understand the challenges that you could face due to regulations in the territories in which you operate, a compliance risk assessment matrix is a useful tool.
In recent years, there have been a series of compliance issues that led to organisations receiving fines in the EU, including:
- In March 2022, Ireland’s Data Protection Commission (DPC) fined Facebook’s parent company Meta €17 million for 12 breaches of personal data.
- In November 2021, the EU General Court dismissed an appeal by search giant Google over a €2.4 billion fine for market abuse.
In order to help your business avoid similar sanctions, creating a risk matrix for compliance will allow you to tackle your greatest risks before they result in non-compliance. This article explores why you need the matrix and how to use it.
1. What is a compliance risk assessment matrix?
A compliance risk assessment matrix is a visual representation of the severity of the compliance risks to a company. It is a way of simplifying the information that you populate in a risk assessment related to compliance matters and provides an easy-to-understand overview of the severity and likelihood of risk factors causing issues for your company.
You usually colour-code the risks on the matrix, ranging from green, for those risks that are least likely to occur and to have minimal impact on the business, to red for risks that are likely to happen and, if they do, will affect the business most keenly.
2. How does a compliance risk assessment matrix help?
2.1 It helps you prioritise risks
When you work through your compliance risks and assess them on your probability vs severity criteria, you gain a better understanding of which risks you should seek to mitigate with the most urgency.
Your compliance function is unlikely to have the time or finances to tackle every risk relating to your organisation. A risk assessment matrix makes it simple to gain oversight on which risks are most imminent and, therefore, where to dedicate your resources most effectively.
2.2 Helps fine-tune your risk management strategy
Once you understand the risks most likely to occur in the near future, you can also analyse the severity of these risks to more closely target those that could be most damaging.
For example, you might decide that a low-impact imminent threat would not be a disaster for the business and that you would be better advised to concentrate on a high-risk threat that is looming in the medium to long term.
2.3 Finesses policies and procedures
By understanding the risks that face your organisation and their severity, you are better prepared to determine whether your current policies and procedures are fit for purpose.
You may have implemented a policy previously that attempted to mitigate a threat. By filling in your compliance risk assessment, you can understand whether it is still a threat and whether the policy is still sufficient to ease the risk to the business.
For example, investment firms can automate trade monitoring if they feel like they are exposed to too great a risk of conflicts of interest from employees’ personal trading. Using TradeLog provides a pre-clearance system that helps you remain compliant. It prevents employees from making those trades that would cause a conflict of interest.
2.4 Improves risk monitoring and management
Risk doesn’t remain static. The risk landscape shifts continuously, and that means that you cannot rest on your laurels when it comes to your compliance efforts. Thankfully, the action of creating your compliance risk assessment matrix helps you monitor risks more effectively.
By regularly assessing risk and prioritising the threats to the organisation, you can gauge which risk factors are increasing, which are declining and how you can best manage these changes within your compliance efforts.
3. How to fill in your compliance risk assessment matrix
3.1 Set objectives
With every business endeavour, setting objectives is important, as it informs all of the work that needs to be completed before you can take advantage of the opportunities available.
Meet with stakeholders to discuss what you want to achieve and how best to achieve it. Think about your compliance strategy and objectives, and then consider how the risk assessment can feed into that to protect the business from the most impactful compliance risk.
For example, the objective of your matrix might be to:
- Show the risk profile in a clear, simple manner
- Inform your compliance strategy
- Create an executive summary of compliance risk for senior leaders
- Review the success of your policies and procedures
- Identify gaps in your compliance programme and areas in which you can improve.
3.2 Identify hazards
Once you know where you want to go with the matrix, you need to add all of the compliance risks that affect your business. Consult with your stakeholders to compile a comprehensive list of risks that you will enter into the matrix.
Carry out a risk identification survey to gain the widest insight into the compliance risk landscape. It is important to involve as many voices as you can. Risk is subjective, so there may be elements suggested that need to go into your matrix that you may not have considered.
Once you have identified risks, you should note down the driving force behind each risk. It might be a law, ruling, policy, procedure or piece of legislation that determines it to be a risk to compliance. Whatever the background is, understanding where the risk comes from helps you mitigate it in the future.
For example, if you regularly have access to multiple pieces of inside information within your business, the Market Abuse Regulation could be the driver behind much of your risk. Using InsiderLog to efficiently and effectively manage your insider lists would be a quick compliance win, logging all changes and automating reminders to insiders to acknowledge their responsibilities.
3.3 Select your risk criteria
You have to decide on the criteria on which you evaluate and prioritise the risk factors facing your organisation. The usual criteria in a compliance risk assessment matrix are:
Probability | The likelihood that a risk factor will happen to the business |
Severity | The likely impact that risk factor would have on the organisation if it did occur |
You should decide how you rate risks within these two criteria, too. Will you rate each risk as low, medium or high for both criteria or use a scale with a rating of between one and five, for example? It depends on how specific you want to be about the threat levels.
Once you have decided on a rating scale, you will eventually multiply the probability by the severity to find your risk factor. Here is an example of giving low, medium and high ratings at 1,2 and 3, respectively. This means that a risk factor that is likely to happen (3) but would cause low impact (1) would have a risk factor of 3. A medium likelihood (2) of a severe impact risk (3) would deliver a risk factor of 6.
Below is an example of how to calculate risk ratings in a compliance risk assessment matrix.
3.4 Analyse the risks you’ve identified
Following discussions with your stakeholders, calculate how severe and how probable each of your risks is. Provide each of them with their score for both criteria and enter them into your compliance matrix.
Based on the rating system that you are using, the matrix will calculate the risk factor of each threat to your organisation.
You can instantly view the compliance landscape for your business, with ratings for each of the risks that give you an indication of where the greatest threats lie.
3.5 Create an action plan
With this insight, you can now see where your priorities should be focused when it comes to formulating your future compliance programme.
The calculation gives you a clearer idea of the most pressing compliance concerns, offering an objective view over an often subjective area of the business. Formulate an action plan and assess the policies you have in place already to mitigate risk.
It could be that there is an area of risk that is more pressing than you previously believed. In this case, you must implement procedures to prevent it from affecting the company. If a risk area is now less concerning than before, you could consider moving resources from that area to another.
As part of your action plan, implementing a streamlined confidential whistleblowing reporting system can help you identify risky behaviour before it becomes a major issue. Using IntegrityLog allows employees and other stakeholders to make reports of misconduct that are confidential. Encouraging early reporting helps you stay ahead of compliance issues and make changes before it is too late.
4. How do you determine how likely a risk is?
Depending on your rating system, you have to quantify the likelihood of a risk event happening. This could work like this:
Chances of risk happening | Risk level |
<10% | Highly unlikely |
11 – 40% | Unlikely |
41 – 60% | Possible |
61 – 90% | Likely |
>90% | Highly likely |
Using this basis, you can work with stakeholders to determine the likelihood of risks.
5. Compliance risk assessment matrix template
This risk assessment matrix template from TeamGannt will help you create your own matrix that will allow you to visualise risk more easily.
6. FAQs
6.1 How often should you update your compliance risk assessment matrix?
As compliance moves quickly, you must update your matrix multiple times per year. The hardest work comes with creating the document in the first place, but you should still assemble a team of stakeholders to ensure your matrix remains relevant throughout the year.
6.2 What are the challenges of creating a risk matrix?
One of the challenges of a risk matrix is that you categorise risks incorrectly. This is why you should assemble a team to debate and help the process. Otherwise, you could base decisions on incomplete information that leads to the company going down the wrong course.
6.3 What do you do with risk matrix results?
Your risk matrix results help you inform your compliance policies going forward. They enable you to allocate resources effectively and insulate the business from a number of risks.
7. Conclusion
A compliance risk assessment matrix is a key tool in identifying and prioritising risk to the organisation. It can guide your efforts going forward and allow you to prevent serious risk events from hampering the progress of the business. One way to mitigate risk is to use compliance solutions to digitise and streamline your processes.
ComplyLog offers a suite of tools to help you do that:
- IntegrityLog enables you to fulfil the regulatory requirements relating to whistleblowing reports in EU member states.
- InsiderLog helps you automate your insider list management as per MAR.
- TradeLog makes managing employee personal trading easier and faster.
To find out more about how ComplyLog aids your business, request a free demo today.
8. References and Further Reading
Share this post
Article Summary
- 1. What is a compliance risk assessment matrix?
- 2. How does a compliance risk assessment matrix help?
- 2.1 It helps you prioritise risks
- 2.2 Helps fine-tune your risk management strategy
- 2.3 Finesses policies and procedures
- 2.4 Improves risk monitoring and management
- 3. How to fill in your compliance risk assessment matrix
- 3.1 Set objectives
- 3.2 Identify hazards
- 3.3 Select your risk criteria
- 3.4 Analyse the risks you’ve identified
- 3.5 Create an action plan
- 4. How do you determine how likely a risk is?
- 5. Compliance risk assessment matrix template
- 6. FAQs
- 6.1 How often should you update your compliance risk assessment matrix?
- 6.2 What are the challenges of creating a risk matrix?
- 6.3 What do you do with risk matrix results?
- 7. Conclusion
- 8. References and Further Reading